Académique Documents
Professionnel Documents
Culture Documents
Users
vs
Infrastructure
We
oNen
measure
the
network
by
observing
infrastructure
and
inferring
end
user
behaviour
because
its
oNen
easier
to
instrument
infrastructure
For
exampleDNSSEC
We
can
walk
zone
les
and
count
the
number
of
signed
zones
Or
we
could
analyze
the
log
les
of
authorita7ve
name
servers
for
a
signed
zone
and
aVempt
to
infer
something
about
the
number
of
users
who
use
DNSSEC
to
validate
DNS
responses
But
can
these
sort
of
approaches
measure
the
popula7on
of
end
users
who
are
served
by
DNSSEC-valida7ng
resolvers?
Time/Loca7on/Context tuned
Aim to ll budget
22/Mar
4000
3000
2000
1000
0
00:00
02:00
04:00
06:00
08:00
10:00
12:00
14:00
16:00
18:00
20:00
22:00
16
00:00
22/Mar
23/Mar
4000
3000
2000
1000
0
00:00
02:00
04:00
06:00
08:00
10:00
12:00
14:00
16:00
18:00
20:00
22:00
17
00:00
22/Mar
23/Mar
24/Mar
4000
3000
2000
1000
0
00:00
02:00
04:00
06:00
08:00
10:00
12:00
14:00
16:00
18:00
20:00
22:00
18
00:00
22/Mar
23/Mar
24/Mar
25/Mar
4000
3000
2000
1000
0
00:00
02:00
04:00
06:00
08:00
10:00
12:00
14:00
16:00
18:00
20:00
22:00
19
00:00
23/Mar
24/Mar
25/Mar
26/Mar
27/Mar
28/Mar
29/Mar
30/Mar
31/Mar
01/Apr
4000
3000
2000
1000
0
00:00
02:00
04:00
06:00
08:00
10:00
12:00
14:00
16:00
18:00
20:00
22:00
20
00:00
Collected
Data
Per
Server,
Per
Day:
hVp-access
log
(successfully
completed
fetches)
dns.log
(incoming
DNS
queries)
Packet
capture
All
packets
Caching
Caching
(generally)
defeats
the
intent
of
the
measurement
DNS
behaviours
e.g.:
DNSSEC
use,
DNS
resolu7on
performance
On
to
Some
Results
December
2013
Presented:
5,683,295
experiments
Reported:
4,978,929
experiments
that
ran
to
comple7on
Web
+
DNS
query
log
results
for
clients:
Performed
DNSSEC
signature
valida7on
and
did
not
fetch
the
invalidly
signed
object:
6.8%
Fetched
DNSSEC
RRs,
but
then
retrieved
the
invalidly
signed
object
anyway:
4.7%
Did
not
have
a
DNSSEC
clue
at
all
-
only
fetched
A
RRs:
88.5%
That
means
That
6.8%
of
clients
appear
to
be
performing
DNSSEC
valida7on
and
not
resolving
DNS
names
when
the
DNSSEC
signature
cannot
be
validated
A
further
4.7%
of
clients
are
using
a
mix
of
valida7ng
and
non-valida7ng
resolvers,
and
in
the
case
of
a
valida7on
failure
turn
to
a
non-
valida7ng
resolver!
None&
(%)
18.0% Yemen/
28.2% Sweden/
42.9% Slovenia/
50.9% Estonia/
45.8% Vietnam
55.6% Finland/
60.9% %
o
Czech/Republic
f
clients
who
use
58.6% Luxembourg/
non-valida@ng
64.7% Thailand/
resolvers
70.7% Chile/
68.0% South/Africa
65.2% Ukraine/
68.2% Indonesia/
76.3% Ireland/
63.8% Tanzania
73.3% Colombia/
43.4% Algeria/
53.2% Occupied/Palestinian/T.
63.4% Azerbaijan/
81.3% United/States/of/America
88.5% World
Geo-locate
clients
to
countries,
and
select
countries
with
more
than
1,000
data
points
YE
SE
SI
EE
VN
FI
CZ
LU
TH
CL
ZA
UA
ID
IE
TZ
CO
DZ
PS
AZ
US
XA
Yemen/
Sweden/
Slovenia/
Estonia/
Vietnam
Finland/
Czech/Republic
Luxembourg/
Thailand/
Chile/
South/Africa
Ukraine/
Indonesia/
Ireland/
Tanzania
Colombia/
Algeria/
Occupied/Palestinian/T.
Azerbaijan/
United/States/of/America
World
Geo-locate
clients
to
countries,
and
select
countries
with
more
than
1,000
data
points
CN
SA
MD
FR
NZ
BE
PR
LT
SG
BS
HR
OM
TT
ME
LV
PT
MU
BH
AE
JO
QA
KR
XA
Tests
1,215,241
45,243
3,168
86,888
31,683
15,243
3,521
14,984
36,420
1,158
8,856
6,147
2,497
3,552
2,041
17,641
3,452
4,231
47,996
10,527
15,975
668,885
5,331,072
China2
Saudi2Arabia
Republic2of2Moldova
France2
New2Zealand
Belgium2
Puerto2Rico
Lithuania2
Singapore2
Bahamas2
Croatia2
Oman2
Trinidad2and2Tobago
Montenegro
Latvia2
Portugal2
Mauritius
Bahrain2
United2Arab2Emirates
Jordan2
Qatar2
Republic2of2Korea
World
Geo-locate
clients
to
countries,
and
select
countries
with
more
than
1,000
data
points
Most
importantly
Rank CC&Code
Tests
Validating
Mixed
None
Country
Australia&
35
AU
22,173
10.72
2.68
86.6
101
NZ
31,683
1.57
15.04
83.39
New&Zealand
Why
is
it
that
7%
of
users
performing
DNSSEC
valida7on
is
about
3
7mes
the
number
of
users
who
are
capable
of
using
IPv6?
has
DNSSEC
deployment
been
so
successful
compared
to
IPv6?
DNSSEC&Validation&
Google&Public&DNS
Rank CC&Code
Tests Validating
All& Mixed
None
1
YE
2,279
70.8%
6.5%
5.0% 88.5% Yemen1
2
SE
5,983
67.2%
2.1%
0.4% 97.5% Sweden1
3
SI
5,883
51.0%
5.0%
0.4% 94.7% Slovenia1
%
o
f
v
alida@ng
4
EE
2,132
44.7%
4.2%
1.1% 94.8% Estonia1
5
VN
42.4%
98.7%
1.3%
0.1% Vietnam
clients
114,996
who
6
FI
3,556
2.1%
0.8% 97.1% Finland1
exclusively
use
41.0%
%
oCzech1Republic
f
clients
who
do
not
7
CZ
10,468
30.8%
13.8%
6.5% 79.7%
Googles
P
-DNS
8
LU
1,204
29.8%
15.9%
0.8% 83.3% use
Luxembourg1
Googles
P-DNS
9
TH
110,380
26.8%
15.9%
5.9% 78.3% Thailand1
10
CL
21,167
26.6%
6.2%
0.4% 93.4% Chile1 service
11
ZA
12,398
26.2%
8.0%
3.0% 89.0% South1Africa
12
UA
32,916%
of
25.0%
20.1%
clients
w
ho
use
3.0%
a
76.9% Ukraine1
13
ID
89,331
22.0%
72.2%
8.1% 19.8% Indonesia1
mix
o
f
G
oogles
P
-DNS
14
IE
7,679
20.7%
17.0%
1.1% 81.9% Ireland1
15
TZ
1,724 and
20.7%
5.1%
0.6% Tanzania
other
r94.4%
esolvers
16
CO
25,440
20.3%
12.7%
1.5% 85.8% Colombia1
17
DZ
16,198
19.1%
71.2% 27.7%
1.1% Algeria1
18
PS
8,441
18.5%
51.8% 29.2% 19.0% Occupied1Palestinian1T.
19
AZ
5,095
18.2%
68.5%
9.6% 21.9% Azerbaijan1
20
US
311,740
15.2%
10.6%
2.9% 86.4% United1States1of1America
XA
5,331,072
6.7%
50.2%
7.3% 42.5% World
Google&Public&DNS
All& Mixed
None
6.5%
5.0% 88.5%
2.1%
0.4% 97.5%
5.0%
0.4% 94.7%
4.2%
1.1% 94.8%
98.7%
1.3%
0.1%
2.1%
0.8% 97.1%
13.8%
6.5% 79.7%
15.9%
0.8% 83.3%
15.9%
5.9% 78.3%
6.2%
0.4% 93.4%
8.0%
3.0% 89.0%
20.1%
3.0% 76.9%
72.2%
8.1% 19.8%
17.0%
1.1% 81.9%
94.4%
5.1%
0.6%
12.7%
1.5% 85.8%
71.2% 27.7%
1.1%
51.8% 29.2% 19.0%
68.5%
9.6% 21.9%
10.6%
2.9% 86.4%
50.2%
7.3% 42.5%
Yemen1
Sweden1
Slovenia1
Estonia1
Vietnam
Finland1
Czech1Republic
Luxembourg1
Thailand1
Chile1
South1Africa
Ukraine1
Indonesia1
Ireland1
Tanzania
Colombia1
Algeria1
Occupied1Palestinian1T.
Azerbaijan1
United1States1of1America
World
Google&Public&DNS
All& Mixed
None
6.5%
5.0% 88.5%
2.1%
0.4% 97.5%
5.0%
0.4% 94.7%
4.2%
1.1% 94.8%
98.7%
1.3%
0.1%
2.1%
0.8% 97.1%
13.8%
6.5% 79.7%
15.9%
0.8% 83.3%
15.9%
5.9% 78.3%
6.2%
0.4% 93.4%
8.0%
3.0% 89.0%
20.1%
3.0% 76.9%
72.2%
8.1% 19.8%
17.0%
1.1% 81.9%
94.4%
5.1%
0.6%
12.7%
1.5% 85.8%
71.2% 27.7%
1.1%
51.8% 29.2% 19.0%
68.5%
9.6% 21.9%
10.6%
2.9% 86.4%
50.2%
7.3% 42.5%
Yemen1
Sweden1
Slovenia1
Estonia1
Vietnam
Finland1
Czech1Republic
Luxembourg1
Thailand1
Chile1
South1Africa
Ukraine1
Indonesia1
Ireland1
Tanzania
Colombia1
Algeria1
Occupied1Palestinian1T.
Azerbaijan1
United1States1of1America
World
ASN Tests
AS22047
AS16232
AS37457
AS39651
AS12912
AS29562
AS23944
AS45629
AS45758
AS36925
AS7679
AS6849
AS34779
AS198471
AS5466
AS28220
AS5610
AS5603
AS7922
AS51737
AS3249
AS5645
AS1257
AS719
AS1759
DNSSEC&Validation
Validating Mixed None
Google&P3DNS
All Mixed None
5,376
1,818
2,051
860
613
1,263
749
8,759
15,833
1,012
551
6,301
1,043
722
1,463
563
2,094
1,505
43,438
753
1,093
1,993
880
655
1,080
98%
98%
97%
97%
96%
95%
94%
94%
93%
93%
93%
92%
91%
91%
90%
89%
88%
88%
87%
87%
84%
83%
83%
82%
82%
1%
1%
1%
1%
1%
1%
1%
3%
4%
2%
1%
3%
3%
4%
3%
2%
3%
3%
3%
9%
5%
2%
1%
2%
4%
1%
1%
2%
2%
2%
4%
5%
4%
3%
5%
6%
5%
6%
6%
6%
9%
9%
9%
9%
4%
10%
14%
16%
16%
15%
1%
2%
1%
1%
2%
2%
3%
1%
0%
25%
1%
5%
2%
95%
3%
5%
6%
0%
3%
97%
3%
3%
1%
2%
0%
5,331,072
7%
5%
88%
5%
%
of
clients
who
appear
to
use
DNSSEC-valida@ng
resolvers
%
of
clients
who
do
not
use
Googles
P-
DNS
0%
0%
0%
1%
0%
1%
1%
1%
2%
1%
0%
3%
0%
2%
1%
1%
7%
1%
1%
2%
1%
0%
1%
2%
0%
99%
98%
99%
98%
98%
97%
96%
97%
98%
74%
99%
92%
98%
4%
97%
94%
87%
99%
96%
1%
97%
96%
99%
96%
99%
VTR2BANDA2ANCHA2S.A.,2CL,2Chile2
ASN>TIM2TIM2(Telecom2Italia2Mobile)2Autonomous2System,2IT,2Italy2
Telkom>Internet,2ZA,2South2Africa
COMHEM>SWEDEN2Com2Hem2Sweden,2SE,2Sweden2
ERA2Polska2Telefonia2Cyfrowa2S.A.,2PL,2Poland2
KABELBW>ASN2Kabel2BW2GmbH,2DE,2Germany2
SKYBB>AS>AP2AS>SKYBroadband2SKYCable2Corporation,2PH,2Philippines2
JASTEL>NETWORK>TH>AP2JasTel2Network2International2Gateway,2TH,2Thailand2
TRIPLETNET>AS>AP2TripleT2Internet2Internet2service2provider2Bangkok,2TH,2Thailand2
ASMedi,2MA,2Morocco2
QTNET2Kyushu2Telecommunication2Network2Co.,2Inc.,2JP
UKRTELNET2JSC2UKRTELECOM,2,2UA
T>2>AS2T>2,22d.o.o.,2SI
LINKEM>AS2Linkem2spa,2IT,2Italy2
EIRCOM2Eircom2Limited,2IE,2Ireland2
CABO2SERVICOS2DE2TELECOMUNICACOES2LTDA,2BR,2Brazil2
TO2>CZECH>REPUBLIC2Telefonica2Czech2Republic,22a.s.,2CZ
SIOL>NET2Telekom2Slovenije2d.d.,2SI,2Slovenia2
COMCAST>79222>2Comcast2Cable2Communications,22Inc.,2US
SUPERLINK>AS2SuperLink2Communications2Co,2PS,2Occupied2Palestinian2Territory
ESTPAK2Elion2Enterprises2Ltd.,2EE,2Estonia2
TEKSAVVY>TOR2TekSavvy2Solutions2Inc.2Toronto,2CA,2Canada2
TELE2,2SE,2Sweden2
ELISA>AS2Elisa2Oyj,2FI,2Finland2
TSF>IP>CORE2TeliaSonera2Finland2IP2Network,2FI,2Finland2
5%
90%
Internet
%
of
clients
who
use
Googles
P-
DNS
and
other
resolvers
%
of
clients
who
exclusively
use
Googles
P-DNS
Map
client
IP
to
origin
AS,
and
select
origin
ASs
with
more
than
500
data
points
ASN Tests
AS22047
AS16232
AS37457
AS39651
AS12912
AS29562
AS23944
AS45629
AS45758
AS36925
AS7679
AS6849
AS34779
AS198471
AS5466
AS28220
AS5610
AS5603
AS7922
AS51737
AS3249
AS5645
AS1257
AS719
AS1759
DNSSEC&Validation
Validating Mixed None
Google&P3DNS
All Mixed None
5,376
1,818
2,051
860
613
1,263
749
8,759
15,833
1,012
551
6,301
1,043
722
1,463
563
2,094
1,505
43,438
753
1,093
1,993
880
655
1,080
98%
98%
97%
97%
96%
95%
94%
94%
93%
93%
93%
92%
91%
91%
90%
89%
88%
88%
87%
87%
84%
83%
83%
82%
82%
1%
1%
1%
1%
1%
1%
1%
3%
4%
2%
1%
3%
3%
4%
3%
2%
3%
3%
3%
9%
5%
2%
1%
2%
4%
1%
1%
2%
2%
2%
4%
5%
4%
3%
5%
6%
5%
6%
6%
6%
9%
9%
9%
9%
4%
10%
14%
16%
16%
15%
1%
2%
1%
1%
2%
2%
3%
1%
0%
25%
1%
5%
2%
95%
3%
5%
6%
0%
3%
97%
3%
3%
1%
2%
0%
0%
0%
0%
1%
0%
1%
1%
1%
2%
1%
0%
3%
0%
2%
1%
1%
7%
1%
1%
2%
1%
0%
1%
2%
0%
99%
98%
99%
98%
98%
97%
96%
97%
98%
74%
99%
92%
98%
4%
97%
94%
87%
99%
96%
1%
97%
96%
99%
96%
99%
VTR2BANDA2ANCHA2S.A.,2CL,2Chile2
ASN>TIM2TIM2(Telecom2Italia2Mobile)2Autonomous2System,2IT,2Italy2
Telkom>Internet,2ZA,2South2Africa
COMHEM>SWEDEN2Com2Hem2Sweden,2SE,2Sweden2
ERA2Polska2Telefonia2Cyfrowa2S.A.,2PL,2Poland2
KABELBW>ASN2Kabel2BW2GmbH,2DE,2Germany2
SKYBB>AS>AP2AS>SKYBroadband2SKYCable2Corporation,2PH,2Philippines2
JASTEL>NETWORK>TH>AP2JasTel2Network2International2Gateway,2TH,2Thailand2
TRIPLETNET>AS>AP2TripleT2Internet2Internet2service2provider2Bangkok,2TH,2Thailand2
ASMedi,2MA,2Morocco2
QTNET2Kyushu2Telecommunication2Network2Co.,2Inc.,2JP
UKRTELNET2JSC2UKRTELECOM,2,2UA
T>2>AS2T>2,22d.o.o.,2SI
LINKEM>AS2Linkem2spa,2IT,2Italy2
EIRCOM2Eircom2Limited,2IE,2Ireland2
CABO2SERVICOS2DE2TELECOMUNICACOES2LTDA,2BR,2Brazil2
TO2>CZECH>REPUBLIC2Telefonica2Czech2Republic,22a.s.,2CZ
SIOL>NET2Telekom2Slovenije2d.d.,2SI,2Slovenia2
COMCAST>79222>2Comcast2Cable2Communications,22Inc.,2US
SUPERLINK>AS2SuperLink2Communications2Co,2PS,2Occupied2Palestinian2Territory
ESTPAK2Elion2Enterprises2Ltd.,2EE,2Estonia2
TEKSAVVY>TOR2TekSavvy2Solutions2Inc.2Toronto,2CA,2Canada2
TELE2,2SE,2Sweden2
ELISA>AS2Elisa2Oyj,2FI,2Finland2
TSF>IP>CORE2TeliaSonera2Finland2IP2Network,2FI,2Finland2
5,331,072
7%
5%
88%
5%
5%
90%
Internet
Map
client
IP
to
origin
AS,
and
select
origin
ASs
with
more
than
500
data
points
Maybe
we
need
some
richer
signaling
in
the
DNS
for
DNSSEC
valida7on
failure
A
few
observa7ons
Measuring
what
happens
at
the
user
level
by
measuring
some
ar7fact
or
behaviour
in
the
infrastructure
and
inferring
some
form
of
user
behaviour
is
going
to
be
a
guess
of
some
form
If
you
really
want
to
measure
user
behaviour
then
its
useful
to
trigger
the
user
to
behave
in
the
way
you
want
to
study
or
measure
The
technique
of
embedding
code
behind
ads
is
one
way
of
achieving
this
objec7ve,
for
certain
kinds
of
behaviours
rela7ng
to
the
DNS
and
to
URL
fetching
Ques7ons?
APNIC
Labs:
c.net
Geo
Huston research@apni